
Chapter 9

Configuring a Mac computer for smart card login

This chapter explains how to set up smart card login for a Mac computer.

Understanding smart card login

Smart cards provide an enhanced level of security authentication for logging into an Active Directory domain. Configuring a smart card for use on a Mac computer that is running the Centrify agent requires that you have already set up a smart card for use in a Windows domain. You do not need to add any smart card infrastructure to the Mac computer, other than a smart card reader and a provisioned smart card.

In a Windows environment, a smart card may be set up either for a single user account or for multiple user accounts. For example, an individual contributor might have access to a single Active Directory account that he uses for all his work. In this case, the card is set up for a single user and the card is linked directly to a UPN. When a user inserts the card to log on, the smart card system looks for the UPN in Active Directory and prompts for a PIN.

Windows 2008 also provides a name-mapping feature that enables configuring a smart card with multiple user accounts. For example, a user might want to log in with a regular account to check mail or perform routine tasks, but log in with an administrator’s account to perform privileged tasks. To set up a card for multiple users, an administrator maps a certificate to each user account on the card. When a user inserts the card to log on, the smart card system prompts the user to select which account to use, and prompts for the card’s PIN.

If you have set up smart card login for Windows clients in a domain, you can use Access Manager to configure smart card login for Mac clients joined to the same domain. If you have provisioned a smart card for use on a Windows computer — either for a single user or multiple users — once you configure smart card support for a Mac computer, you can use the same smart card to log in to a Mac computer.


Note Configuring smart card support in Access Manager is nearly the same for a single-user or multi-user card with the exception that for multi-user cards, you must set an extra configuration parameter as explained in Enabling support for multi-user PIV and multi-user smart cards.

Setting up a single user smart card login for Windows requires either:

Microsoft enterprise root certification authority; see the Microsoft TechNet article: Install an enterprise root certification authority.

A third party certification authority — see the Microsoft KB article: Guidelines for enabling smart card logon with third-party certification authorities.

Setting up a multi-user smart card login for Windows requires mapping the certificate on the card to the users who the card is associated with. See the following Microsoft Technet Blog post: “Mapping One Smart Card to Multiple Accounts” for more information on how to do this.

For more information about how Access Manager supports smart card log in, see the following video chalk talks:

Smart Card for Mac Part 1: Introduction to Active Directory Integration, which provides a basic introduction to smart card for Access Manager.

Smart Card for Mac Part 2: Architecture & Authentication Flow, which provides technical details about the Access Manager implementation of smart card.

Supported smart card profiles

Centrify supports the following smart card profiles to log in to Active Directory on Macs in the same fashion as Windows systems, ensuring strong authentication and single sign-on to other applications and services for Active Directory users.

CAC

CAC NG

PIV

PIV-I

Administrator’s Guide for Mac 354


USB PKI Keys

To verify the profile used by your smart card, insert the smart card into the reader. The keychain for the smart card certificate appears in the Keychains window of Keychain Access; its name is in the form CardProfile-CardNumber.

If the new keychain does not appear, quit and restart Keychain Access.

Configuring smart card login

Centrify provides group policies, configuration options, and account options to perform the following smart card configuration tasks.

Note Before configuring smart card login, refer to Verifying prerequisites for configuring smart card login to ensure your environment meets all the prerequisites.

Verifying prerequisites for configuring smart card login

We recommend configuring your Active Directory domain and forest to use AES-128 or AES-256 encryption for Kerberos in order to ensure you can configure smart card login. DES and RC4 encryption are no longer supported. Other prerequisites for enabling smart card support differ depending on whether you have configured a single-user or multi-user smart card.

For a single-user card, before enabling smart card support, make sure you do the following:

Provision a smart card with an NT principal name and PIN. Refer to Supported smart card profiles to verify that the profile on your smart card is supported by Centrify.

Verify that the Active Directory Zone user’s UPN matches the UPN on the smart card.

For a multi-user card, before enabling smart card support, make sure you have the following in place:

A Windows Server 2008 or above domain controller for authentication.

The card is not configured with a UPN. If a card with a UPN is inserted, the Mac prompts for a PIN rather than prompting for a username and password.

An administrator has added the certificate on the card to the name mapping for the users the card is associated to. See the following Microsoft Technet Blog post: “Mapping One Smart Card to Multiple Accounts” for more information on how to do this.

For either type of card, verify that the public key infrastructure to support smart card login is operational on the Windows computer running Active Directory and Access Manager. If the user is able to log in to a Windows computer with a smart card, and you have a card reader and a fully-provisioned card for the Mac computer, the user should be able to log in to the Mac computer once you configure it for smart card support.
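The Kerberos encryption recommendation above can be checked per account or computer object from the msDS-SupportedEncryptionTypes attribute that Active Directory stores on the object. The following POSIX shell script is an added example written for this page; it is not part of the Centrify guide or its tooling. It decodes the attribute's bitmask (bit values as documented in MS-KILE) and flags any object that still permits DES or RC4 or that has no AES type enabled. It assumes you retrieve the integer yourself (for instance from Active Directory Users and Computers or a directory query) and pass it in; the sample values in the demo loop are constructed.

```shell
#!/bin/sh
# Added example, not from the Centrify guide: decode msDS-SupportedEncryptionTypes
# and flag objects that still allow DES or RC4 for Kerberos.
# Bit flags as documented in MS-KILE for msDS-SupportedEncryptionTypes
DES_CBC_CRC=1
DES_CBC_MD5=2
RC4_HMAC=4
AES128_CTS_HMAC_SHA1_96=8
AES256_CTS_HMAC_SHA1_96=16

# decode_enctypes VALUE -> prints the names of the enabled encryption types, one per line
decode_enctypes() {
    v=$1
    [ $((v & DES_CBC_CRC)) -ne 0 ] && echo DES_CBC_CRC
    [ $((v & DES_CBC_MD5)) -ne 0 ] && echo DES_CBC_MD5
    [ $((v & RC4_HMAC)) -ne 0 ] && echo RC4_HMAC
    [ $((v & AES128_CTS_HMAC_SHA1_96)) -ne 0 ] && echo AES128_CTS_HMAC_SHA1_96
    [ $((v & AES256_CTS_HMAC_SHA1_96)) -ne 0 ] && echo AES256_CTS_HMAC_SHA1_96
    return 0
}

# check_enctypes VALUE -> 0 when only AES types are enabled; 1 when a legacy type
# (DES/RC4) is still permitted, no AES type is enabled, or the attribute is unset (0),
# in which case the domain controller's defaults apply rather than your policy;
# 2 when the argument is not an integer
check_enctypes() {
    v=$1
    case $v in
        ''|*[!0-9]*) echo "check_enctypes: '$v' is not an integer" >&2; return 2 ;;
    esac
    if [ "$v" -eq 0 ]; then
        echo "attribute not set: domain defaults apply, set AES explicitly" >&2
        return 1
    fi
    if [ $((v & (DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC))) -ne 0 ]; then
        echo "legacy encryption type(s) still permitted: $(decode_enctypes "$v" | tr '\n' ' ')" >&2
        return 1
    fi
    if [ $((v & (AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96))) -eq 0 ]; then
        echo "no AES encryption type enabled" >&2
        return 1
    fi
    return 0
}

# Constructed sample values: 28 = RC4 + AES128 + AES256 (a common mixed setting),
# 24 = AES128 + AES256 only
for sample in 28 24; do
    if check_enctypes "$sample"; then
        echo "$sample: OK, AES only ($(decode_enctypes "$sample" | tr '\n' ' '))"
    else
        echo "$sample: needs attention"
    fi
done
```

A value of 28 is the typical result of adding AES to an account without removing RC4; the check reports it so that the object can be set to 24 (AES-128 and AES-256 only) before smart card login is rolled out.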

Enabling smart card support (including authentication via YubiKey tokens)

Smart card and YubiKey token support requires configuration changes to Mac OS X. Enabling the relevant policies makes the required changes to Mac configuration files.


To enable smart card support for logging on

1 Make a backup of the authorization database by exporting it to a plist file on all computers for which you are enabling smart card login support. Enabling the group policy Enable smart card support causes edits to this file, so you should create a backup to be safe.

security authorizationdb read system.login.console > system.login.console.backup.plist
security authorizationdb read authenticate > authenticate.backup.plist

2 Create or edit an existing Group Policy Object linked to a site, domain, or OU that includes Mac computers.

3 In the Group Policy Management Editor, expand Computer Configuration > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security, then double-click Enable smart card support.

4 Select Enabled to enable smart card support.

This group policy adds smart card support to the authorization database on Mac computers that are linked to the group policy object. This policy also creates a text file named /etc/cacloginconfig.plist on each computer.

This configuration file directs the Mac smart card log-in to look for a user in Active Directory with a user principal name (UPN) that is the same as the NT Principal Name attribute in the smart card log-in certificate.

Note The /etc/cacloginconfig configuration file for use with Access Manager and Active Directory is different from the default configuration file provided by Apple.

5 Select Enable YubiKeys as a smart card to enable authentication using a YubiKey PIV token.

Enabling YubiKeys as a smart card installs Yubico’s libccid to enable communication to the YubiKey using the CCID protocol. To authenticate with a YubiKey PIV token, the certificates issued to the YubiKey must be part of a domain that is already provisioned and set up to accept PIV smart cards. See https://www.yubico.com/support/documentation/ for more information about YubiKeys.


After reboot, the computers linked to the group policy object are ready for smart card use. Complete the procedure in the next section if you plan to use multi-user smart cards with your Mac computers, or go to "Enabling screen locking for smart card removal" on page 9-365 to enable screen locking when the smart card is removed from a computer.

Enabling support for multi-user PIV and multi-user smart cards

If you plan to use multi-user PIV cards or multi-user smart cards with a Mac computer in your domain, you must make the following changes in your environment.

Configure Active Directory to support multi-user PIV cards and multi-user smart cards

Configure Centrify Corporation to support multi-user PIV cards and multi-user smart cards

Note Making the following changes results in an environment that supports multi-user PIV card login, which means users always need to provide a unixname or UPN. Single-user PIV cards will continue to work; however, those users will be required to provide a username. Military CACNG cards will no longer work if you change your environment to support multi-user PIV cards.

Configure Active Directory to support multi-user PIV cards and multi-user smart cards

The following steps are necessary to support multi-user PIV cards and multi-user smart cards in Active Directory.

On the computer acting as the Key Distribution Center (KDC), set the following registry key to 0 to disable UPN mapping:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\useSubjectAltName

Export the user smart card certificate and enable name mapping to the users associated with the card. Refer to the following Microsoft Technet Blog post: “Mapping One Smart Card to Multiple Accounts” for more information.


Configure Centrify Corporation to support multi-user PIV cards and multi-user smart cards

From the Group Policy Management Editor, enable the Disable smart card UPN mapping policy to prevent the login UI from greeting the UPN user identified on the PIV card. This policy is found at Computer Configuration > Policies > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy. Refer to "Security & Privacy" on page 7-193 for additional information.

Tip Alternatively, you can use the sctool command-line tool to disable smart card UPN mapping on an individual Mac for testing or evaluation purposes.

To disable smart card UPN mapping with sctool: sctool -u '###'

To enable smart card UPN mapping with sctool: sctool -u 'NT Principal Name'

On the Mac computer where you want to enable support for multi-user PIV cards, set the smartcard.name.mapping parameter in the /etc/centrifydc/centrifydc.conf file to true.

Enabling smart card support for sudo

This group policy configures sudo to require the smart card PIN for authentication instead of the user’s password. The user must be configured in the sudoers file and a smart card corresponding to the user must be presented at the time sudo is run.

If the smart card keychain is unlocked when sudo is run, sudo will not prompt for the PIN for authentication.

To enable smart card authorization for sudo

1 Make a backup of the following files.

/etc/pam.d/sudo

/etc/pam.d/sudo.pre_cdc

2 Create or edit an existing Group Policy Object linked to a site, domain, or OU that includes Mac OS X computers.


3 In the Group Policy Management Editor, expand Computer Configuration > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy, then double-click Enable smart card support for sudo.

4 Select the Enabled option and click OK.
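Both this procedure and the earlier "To enable smart card support for logging on" procedure start by taking backups, because the policies edit the authorization database and the sudo PAM configuration. The script below is an added example written for this page, not Centrify's own tooling: it snapshots the files and authorization rights named in this chapter into a timestamped directory, preserving each file's original path so the copies can be compared or restored later. The exported rights are written with the same security authorizationdb command and file names as step 1 of the login procedure. BACKUP_DIR and the "run" argument guard are assumptions of this example; the file paths are the ones the chapter names (the .pre_cdc file and /etc/cacloginconfig.plist are skipped when not present).

```shell
#!/bin/sh
# Added example, not from the Centrify guide: back up the files and authorization
# rights that the "Enable smart card support" and "Enable smart card support for
# sudo" policies modify. Run as: sh backup-smartcard.sh run
BACKUP_DIR=${BACKUP_DIR:-"${HOME:-/tmp}/smartcard-backup-$(date +%Y%m%d-%H%M%S)"}

# backup_file SRC DESTDIR -> copies SRC to DESTDIR/<original path>, keeping mode and
# mtime; returns 1 if SRC does not exist (sudo.pre_cdc only exists once a policy ran)
backup_file() {
    src=$1; dest=$2
    [ -f "$src" ] || { echo "skip: $src not present" >&2; return 1; }
    mkdir -p "$dest$(dirname "$src")"
    cp -p "$src" "$dest$src"
}

# verify_backup SRC DESTDIR -> 0 if the copy under DESTDIR is byte-identical to SRC
verify_backup() {
    cmp -s "$1" "$2$1"
}

# backup_right RIGHT DESTDIR -> exports one authorization right to RIGHT.backup.plist,
# exactly as step 1 of "To enable smart card support for logging on" does
backup_right() {
    right=$1; dest=$2
    mkdir -p "$dest"
    security authorizationdb read "$right" > "$dest/$right.backup.plist"
}

# backup_all DESTDIR -> files first, then the two rights the chapter names
backup_all() {
    dest=$1
    for f in /etc/pam.d/sudo /etc/pam.d/sudo.pre_cdc /etc/cacloginconfig.plist; do
        backup_file "$f" "$dest" || true
    done
    if command -v security >/dev/null 2>&1; then
        for r in system.login.console authenticate; do
            backup_right "$r" "$dest"
        done
    else
        echo "security(1) not found: not on macOS, skipping authorization rights" >&2
    fi
    echo "backup written to $dest"
}

# Only perform the backup when explicitly asked, so sourcing the file is side-effect free
if [ "${1:-}" = run ]; then
    backup_all "$BACKUP_DIR"
fi
```

After the policies have applied, diff the live /etc/pam.d/sudo against the copy under the backup directory to see exactly what the Enable smart card support for sudo policy changed; the exported plists can be restored with security authorizationdb write if the login policy has to be rolled back.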

Enabling protected keychains

On OS X 10.11, you can enable the Enable protected keychain group policy to create a keychain protected by either a smart card token or a password and set it as the default keychain, depending on the login type. Once the Enable protected keychain group policy takes effect, the token-protected keychain can only be unlocked with a PIN when the associated smart card is present.

In addition, you can select options in the group policy that allow users who forget or lose their smart card to continue to log in with a password. In this case, a new password-protected keychain is created to ensure users can continue to log in to their account; however, keychain items are not transferred from the token-protected keychain to the password-protected keychain.

This feature is not supported on OS X 10.10 and earlier.

Note When the smart card is renewed it will no longer unlock the token-protected keychain. There is no way to export a token-protected keychain; you will have to recreate the keychain items in the new token-protected keychain. In addition, if a smart card is lost, there is no way to recover items from the token-protected keychain.

To create a smart card token protected keychain

1 Enable the Enable protected keychain group policy (User Configuration > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Keychain Policies > Enable protected keychain).

2 Select the Set as user default keychain option to make the protected keychain the default keychain.

The group policy switches the default keychain depending on login type (smart card login or password login). This option is selected by default, and is required to be able to log in with a password after this group policy takes effect.

3 Select the Delete the Password protected ‘Login’ Keychain after login option to delete the existing password protected ‘Login’ keychain.

This removes existing keychains that can be unlocked without a smart card. This option is deselected by default, but is required to be able to log in with a password after this group policy takes effect without seeing keychain errors.

4 Click Apply, then click OK.

Once enabled, this policy takes effect at the next user login using smart card authentication. Connect only one smart card to the client machine to log in and create a token-protected keychain. Choosing a specific smart card to protect the keychain when multiple smart cards are present is not supported.

5 (Optional) Set parameters for when to lock the protected keychain using the following two group policies.

Lock protected keychain after number of minutes of inactivity

Lock protected keychain when sleeping

Note If you do not enable these policies, the default behavior for a new keychain is to lock after five minutes or when sleeping.

Both of these policies take effect at the next user login using smart card authentication.

Requiring smart card login

To fully support smart card login, you can do either one of the following.

Configure a computer to require smart card login by enabling the Require smart card login group policy (Computer Configuration > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Require smart card login.) When you enable this policy, no one can log into a computer for which this policy applies with a user name and password but must insert a smart card, unless you create an exception group. An exception group is simply an Active Directory group that you create and add to this group policy to allow group members to log in, if necessary, with a user name and password. The purpose of creating an exception group is to allow users to temporarily log in if they do not have their smart card in hand.

Note If you set this policy, be certain that all users have their passwords set to never expire. Otherwise, if a password expires, a user may be unable to log in with a smart card and see a potentially confusing error message about changing their password. If you use the option to require smart card login for specific users, as explained in the next bullet, you can ignore password expiration.

Set an individual user’s account options to require login with a smart card, as shown in the following procedure. When you set this option, the user cannot interactively log in to a computer with a user name and password but must insert a smart card. Do not use this option if you want to allow specific users to log in temporarily with a user name and password in case they do not have their smart card with them. In this case, use the Require smart card login group policy and create and add an exception group.

To require smart-card login for a specific user:

1 Open the Access Manager console or Active Directory Users and Computers.

2 Select the user. For example, in the Access Manager console, open domainName > Zones > zoneName > Users > userName.

3 Right-click the userName and select Properties.

4 Select the Account tab.

5 In Account options, scroll until Smart card is required for interactive logon is visible, then select it.

6 Click OK.


Enabling certificates that do not have the extended key usage (EKU) attribute

Normally, smart card use requires certificates that contain the extended key usage attribute. However, Windows provides a group policy that allows the use of certificates that do not have this attribute.

Note This group policy is implemented as an administrative template (.adm file), not as an xml file, as are the Centrify group policies.

To enable certificates that do not have the EKU attribute for use with smart cards:

1 Open the group policy editor and edit the GPO that contains the Linux computers enabled for smart-card login.

2 Open Computer Configuration > Policies > Administrative Templates > Windows Components > Smart Card and double-click Allow certificates with no extended key usage certificate attribute.

3 Click Enabled and click OK.

When you enable this policy, it sets the smartcard.allow.noeku parameter to true in the Centrify configuration file. Certificates with the following attributes can also be used to log on with a smart card:

Certificates with no EKU

Certificates with an All Purpose EKU

Certificates with a Client Authentication EKU

4 In a Terminal window, run the sctool command as root with the -E (--no-eku) parameter to re-enable smart card support. You must use either the -a (--altpkinit) or -k (--pkinit) parameter with the -E option; for example:

sctool -E -k [email protected]
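Two of the procedures in this chapter end up as parameters in the Centrify configuration file: smartcard.name.mapping (set to true in /etc/centrifydc/centrifydc.conf for multi-user PIV support) and smartcard.allow.noeku (set to true by the Allow certificates with no extended key usage certificate attribute policy). The POSIX shell script below is an added example written for this page, not Centrify's own tooling; it reads those two parameters from a centrifydc.conf-style file and reports the login behaviour the chapter ties to them, which is useful when checking that a group policy actually reached a given Mac. It assumes parameters are written one per line as "name: value" (the form used in centrifydc.conf), also accepts "name = value", treats lines starting with # as comments, and lets the last occurrence of a name win; the configuration in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the Centrify guide: audit the smart card parameters in a
# centrifydc.conf-style file. Assumption: "name: value" or "name = value" per line.

# conf_get FILE NAME -> prints the value of NAME (trailing comment and whitespace
# removed), or nothing if NAME is not set; the last occurrence wins
conf_get() {
    file=$1
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots so they match literally
    sed -n -E "s/^[[:space:]]*$key[[:space:]]*[:=][[:space:]]*([^#]*).*/\1/p" "$file" \
        | tail -n 1 | sed -E 's/[[:space:]]+$//'
}

# conf_bool FILE NAME -> "true" for true/yes/1 (any case), otherwise "false",
# so an unset parameter reads as false
conf_bool() {
    case $(conf_get "$1" "$2" | tr 'A-Z' 'a-z') in
        true|yes|1) echo true ;;
        *) echo false ;;
    esac
}

# smartcard_mode FILE -> "multi-user" when smartcard.name.mapping is true (users must
# type a name or UPN and CACNG cards stop working), otherwise "single-user" (the UPN
# is read from the card and only a PIN is requested)
smartcard_mode() {
    if [ "$(conf_bool "$1" smartcard.name.mapping)" = true ]; then
        echo multi-user
    else
        echo single-user
    fi
}

# noeku_mode FILE -> "accepted" when certificates without an EKU are allowed to log on
noeku_mode() {
    if [ "$(conf_bool "$1" smartcard.allow.noeku)" = true ]; then
        echo accepted
    else
        echo rejected
    fi
}

# smartcard_report FILE -> human-readable summary of both parameters
smartcard_report() {
    printf 'smartcard.name.mapping = %s -> %s card login\n' \
        "$(conf_bool "$1" smartcard.name.mapping)" "$(smartcard_mode "$1")"
    printf 'smartcard.allow.noeku  = %s -> certificates without EKU are %s\n' \
        "$(conf_bool "$1" smartcard.allow.noeku)" "$(noeku_mode "$1")"
}

# Demo on a constructed configuration (not a real centrifydc.conf)
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample
smartcard.name.mapping: true
smartcard.allow.noeku = false   # left at the default
EOF
smartcard_report "$demo_file"
rm -f "$demo_file"
```

On a managed Mac, run smartcard_report /etc/centrifydc/centrifydc.conf after the policy refresh; a report of "single-user" on a machine intended for multi-user PIV cards means the smartcard.name.mapping change has not been applied there yet.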

Verifying smart card configuration

After enabling smart card support, as described in Configuring smart card login, do the following to verify that a smart card is working:


1 Verify that the user is enabled for the zone the Mac computer has joined.

On the Windows computer, open Active Directory Users and Computers or the Access Manager console and view the Centrify Profile for the user. Verify that the user has a profile and is assigned to a role in the zone to which the Mac computer is joined.

2 On the Mac computer, click Utilities > Keychain Access.

3 Insert the smart card into the reader and the keychain for the smart card certificate appears in the Keychains window, whose name is in the form, CardProfile-CardNumber, for example, CAC-4190-6145-7ACC-2122.

If the new keychain does not appear, quit and restart Keychain Access.


4 Double-click the certificate for the user in the right-hand pane, for example, test user 3.

5 Scroll to find the NT Principal name; for example:

NT Principal Name [email protected]

The NT Principal name in the certificate should match the UPN in Active Directory.

Enabling screen locking for smart card removal

Depending on what you consider best practices for using a smart card, you may want the screen to lock when a user removes the smart card. Enabling the Lock smart card screen policy creates a daemon that locks the screen if the user removes the smart card.

To enable screen locking when the smart card is removed from a computer:

1 Edit the Group Policy Object (GPO) linked to a site, domain, or OU that includes Mac computers, expand User Configuration > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security Settings, then double-click Lock Smart Card screen.

2 Select the Enabled option and click OK.

3 Expand User Configuration > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security Settings, then double-click Require a password to wake this computer from sleep or screen saver to require a password to unlock the screen.

4 Select the Enabled option and click OK.

This group policy creates a daemon that listens for the smart card removal event and locks the screen when it occurs.

Disabling smart card support

To disable smart card support:

1 Edit the Group Policy Object linked to a site, domain, or OU that includes Mac computers, expand Computer Configuration > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security, then double-click Enable smart card support.

2 Select Disabled and click OK.

When the policy takes effect, the smart card specific strings are removed from the authorization database, and the /etc/cacloginconfig.plist file is deleted.

3 Expand User Configuration > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security Settings, then double-click Lock Smart Card screen.

4 Select Disabled and click OK.

Using smart card login

When a user inserts a smart card into the card reader attached to a Mac computer that is waiting for login, the login dialog is replaced by a smart card enabled login (if the card is provisioned for one or more Active Directory users who are enabled for the Centrify zone to which the computer is joined). However, the actual log on screen varies depending on whether the card is provisioned for a single user or for multiple users.

How the login screen appears for a single-user card

When a user inserts a single-user card, the smart card login shows the name of the user for whom the card is provisioned, and provides a single text box in which the user can type the PIN associated with the card.

If the user is not enabled for the zone, or is not a valid Active Directory user at all, the smart card login dialog is replaced by the previous login screen, either a list of local users or username and password text entry fields.

The user will be successfully logged in if the following conditions are met:

The user enters the correct PIN for the smart card.

The card is trusted by the domain and has not been revoked. The card is checked locally first, online or offline, to ensure that the issuing certificate authority is trusted by the Mac computer via keychain trusts, which are set up when the computer joins the domain, and which are periodically refreshed.

Checking is performed by the domain controller when online, and by the keychain service based on cached CRLs when offline. If the user is not connected to the network but has previously logged on — with a smart card or in some other way — Mac OS X gets the UPN from the card and looks up the user in the cached data.

If login fails, no feedback is provided to the user as to why the login is being denied — as is the case when logging in with a password. Information is logged into system log files that can help determine the reason for a denied login, including: /var/log/system.log, /var/log/secure.log, and the Centrify log file (/var/log/centrifydc.log) if logging is enabled.

How the login screen appears for a multi-user card

When a user inserts a multi-user card, the smart card login shows a generic username and password login screen. The user may select one of the accounts provisioned for the card by typing the account name in the Name box. In the Password box, the user must enter the PIN for the card, not the password for the account.

If the user is not enabled for the zone, or is not a valid Active Directory user at all, the smart card login dialog is replaced by the previous login screen, either a list of local users or username and password text entry fields.


The user will be successfully logged in if the following conditions are met:

The user enters the correct PIN for the smart card.

The card is trusted by the domain and has not been revoked. The card is checked locally first, online or offline, to ensure that the issuing certificate authority is trusted by the Mac computer via keychain trusts, which are set up when the computer joins the domain, and which are periodically refreshed.

Checking is performed by the domain controller when online, and by the keychain service based on cached CRLs when offline. If the user is not connected to the network but has previously logged on — with a smart card or in some other way — Mac OS X gets the name from the log on screen and looks up the user in the cached data.

If login fails, no feedback is provided to the user as to why the login is being denied — as is the case when logging in with a password. Information is logged into system log files that can help determine the reason for a denied login, including /var/log/system.log, /var/log/secure.log, and the Centrify log file (/var/log/centrifydc.log) if logging is enabled.

Screen saver shows password not PIN prompt

Most smart card users are allowed to log on with a smart card and PIN only — they cannot authenticate with a user name and password. However, it is possible to configure users for both smart card/PIN and user name/password authentication. Generally, this setup works seamlessly: the user either enters a user name and password at the log on prompt, or inserts a smart card and enters a PIN at the prompt.

However, for multi-user cards, it can be problematic when the screen locks and the card is in the reader. When a user attempts to unlock the screen, the system prompts for a password, not for a PIN, although the PIN is required because the card is in the reader. If the user is not aware that the card is still in the reader and enters his password multiple times, the card will lock once the limit for incorrect entries is reached.


Understanding what happens after login

A user who is logged in with a smart card has access to the same Mac and Access Manager features and behaviors as a user who is logged in with a username and password. For example, the user’s network home directory is mounted (if so configured), a mobile user is created (if enabled in Group Policy), and so on.

Note In general the user experience is the same in both connected and disconnected modes, with the exception of single sign-on (SSO). Because Access Manager does not cache the smart card’s PIN, SSO is only available for smart card login while connected to the domain.

Of course, certain behaviors and system responses are specific to smart card login:

If the user removes the smart card after login, the response of the system depends on whether the group policy Lock smart card screen is enabled in the domain. If it is enabled (and the System Preference to require a password after the screen saver begins is not set), the screen locks. Otherwise, the screen does not lock and the user may continue working.

If the user inserts a smart card while the screen saver is active, the response depends on whether Lock smart card screen is enabled in the domain. If it is, the screen saver deactivates. If the policy is not enabled, the screen saver continues running until the user moves the mouse or touches a key.

When the screen saver deactivates, the system response depends on the following:

If Require password to wake this computer from sleep or screen saver (and the local version of this policy, if it is not overridden by group policy) is set, the user is prompted to authenticate when the screen saver is deactivated.

Otherwise, if Lock smart card screen is set, and the screen saver was activated by the user removing the smart card, the user is prompted to authenticate.

If neither of these policies is set, the user is not prompted to authenticate when the screen saver deactivates.


If the user is prompted to authenticate when the screen saver deactivates, the type of prompt depends on whether a smart card is inserted into the reader at that moment, and the type of card. If a single-user smart card is inserted into the reader, the user is prompted for the PIN associated with that card. If a multi-user smart card is inserted into the reader, the user is prompted for a name and password — note, however, that the Password box requires the PIN for the card, not the user account password.

If a card is not inserted in the reader, the user is not prompted for a password. The reason the screen saver was activated (smart card removal or idle time) has no effect on the type of prompt that is issued when the screen saver deactivates.

Do not use local users who conflict with Active Directory users

When you configure a user for a smart card be certain that the Active Directory username does not match that of a local user.

In general, to avoid potential conflicts, Centrify Corporation does not recommend creating a local user with the same username as an Active Directory user, although such a configuration does not necessarily cause problems. However, configuring a smart card user with the same name as a local user is inherently unstable and can cause unpredictable results.

For a standard login, a local user is always logged in instead of an Active Directory user of the same name because the local account database is checked for authentication before Active Directory. However, the authentication mechanism is different for smart card login, so the Active Directory user on the card will be authenticated instead of the local user, unless the local user has been configured explicitly for the smart card.

Although the Active Directory user is logged in, some commands and applications will look up and apply information for the local user because the Mac directory database is consulted before Active Directory. This means that some of the group policy settings for smart card will not be applied to the Active Directory user and the smart card will not operate properly.


How smart card log in works with fast user switching

Fast user switching enables a user to log in to a computer with a different account without logging out the first account. If a user is logged in with a smart card, fast user switching does not work.

If you want to switch to a different user, you must unplug the smart card to do so. The following procedure shows how to work around the smart-card limitation on fast user switching.

To perform fast user switching when logged in with a smart card

1 With fast user switching enabled, log in to a Mac computer using a smart card — for this example, assume a single-user card provisioned with the name scuser.

2 Switch to a different, non-smart card account (for example, normal1) and enter the password.

The login fails for the new account and you are prompted for the smart card PIN.

3 Unplug the smart card.

If the Lock smart card screen is not enabled in the domain, the desktop for normal1 is displayed.

If this policy is enabled, the screen is locked. You can unlock the screen by logging in as normal1.

Troubleshooting smart card log in

If you have problems with smart card logon, Access Manager provides a command-line tool, sctool, which you can run to configure smart card logon, as well as to provide diagnostic information. See "Understanding sctool" on page 12-417 or the sctool man page.

Additional smart card diagnostic procedures are provided in "Diagnosing smart card log in problems" on page 11-409.


Configuring web browsers and mail clients

The subsections in this section provide tips for configuring different web browsers and mail clients to work with Centrify Smart Card on Mac computers. The following topics are covered:

Using Microsoft Outlook 2011 for signed and encrypted mail

Using Safari to access protected web sites

Using Chrome to access protected web sites

Enabling Firefox and Thunderbird to access protected web sites

Using Microsoft Outlook 2011 for signed and encrypted mail

To use Outlook for Mac 2011 to send and receive encrypted email, you must have a valid digital certificate. After you have downloaded and imported the appropriate intermediate certificates for your smart card, you can configure Microsoft Outlook 2011 to sign email with your certificate and send encrypted mail.

To send a digitally signed message:

1 Log on to the Mac and open Microsoft Outlook.

2 On the Tools menu, click Accounts.

3 Select the account from which you want to send a digitally signed message.

4 Click Advanced, then click the Security tab.

5 Under Digital signing, click the Certificate menu, then select the certificate that you want to use.

6 Select the Include my certificates in signed messages check box if all of your recipients have email that supports digital signing and encryption.

7 Click OK, then close the Accounts dialog box.


8 When composing email messages, click the Options tab, click Security, then click Digitally Sign Message.

To send an encrypted message:

1 Log on to the Mac and open Microsoft Outlook.

2 On the Tools menu, click Accounts.

3 Select the account from which you want to send an encrypted message.

4 Click Advanced, then click the Security tab.

5 Under Encryption, click the Certificate menu, then select the certificate that you want to use.

6 Click OK, then close the Accounts dialog box.

7 When composing email messages, click the Options tab, click Security, then click Encrypt Message.

To send an encrypted message, you must have the public certificate of the user to whom you are sending the mail message. If the recipient is a contact in your address book, this certificate is typically available on the Certificates tab in Outlook. If you do not have the certificate, Outlook will not create an encrypted mail message. However, if the name of the person matches a contact in your address book, Outlook encrypts the message before sending it.

For more information about managing digital certificates and sending and receiving encrypted email in Outlook for Mac 2011, see the Microsoft topic How users manage digital certificates in Outlook for Mac 2011.

Using Safari to access protected web sites

If you want to use a smart card to access restricted Web sites — such as those for the Department of Defense (DOD) — using Safari as your web browser, you should configure the certificate to use for authentication.


To configure a certificate for the smart card:

1 If you have Safari open, choose the Safari menu, then click Quit Safari.

2 Insert your smart card in the reader, then navigate to Utilities and open Keychain Access.

3 Select the provisioned CAC keychain for your smart card.

4 From the Category list, select My Certificates.

5 Right-click the certificate you want to use to authenticate your identity. In most cases, you should select the Authentication Private Key certificate or the Digital Signature Private Key certificate, depending on the web site you want to view.

6 Select New Identity Preference.

7 Type the complete URL for the web site you want to access, then click Add. For example:

https://akocac.us.army.mil/

https://www.jtfgno.mil/

Using Chrome to access protected web sites

If you want to use a smart card to access restricted Web sites — such as those for the Department of Defense (DOD) — using Google Chrome as your web browser, you should configure the certificate to use for authentication.

To configure a certificate for the smart card:

1 If you have Chrome open, choose the Chrome menu, then click Quit Google Chrome.

2 Insert your smart card in the reader, then navigate to Utilities and open Keychain Access.

3 Select the provisioned CAC keychain for your smart card.

4 From the Category list, select My Certificates.

5 Right-click the certificate you want to use to authenticate your identity. In most cases, you should select the Authentication Private Key certificate or the Digital Signature Private Key certificate, depending on the web site you want to view.

6 Select New Identity Preference.

7 Type the complete URL for the web site you want to access, then click Add. For example:

https://akocac.us.army.mil/

https://www.jtfgno.mil/

Enabling Firefox and Thunderbird to access protected web sites

Firefox and Thunderbird cannot be used with a smart card for secure browsing and e-mail signing because they require a PKCS#11 module and Centrify Management Services for Mac ships with Tokend only, not with PKCS#11. However, Apple provides an open-source module, TokenPKCS11.so, which can act as a shim between Tokend and PKCS#11. Centrify provides group policies that allow you to install the TokenPKCS11.so module to provide the PKCS#11 interface to Firefox and Thunderbird.

The following group policies, located in User Configuration > Policies > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy, enable Firefox and Thunderbird to be used with a smart card:

Allow NSSDB based applications to use smart card allows NSSDB-based applications to use a smart card and adds Firefox and Thunderbird to the list of applications.

NSSDB based applications allowed to use smart card loads the TokenPKCS11 module to the appropriate location for Firefox and Thunderbird.

To enable smart card use with Firefox and Thunderbird:

1 Enable the “Enable smart card support” policy:

Computer Configuration > Policies > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Enable smart card support.


Click OK.

2 Enable the “Allow NSSDB based applications to use smart card” group policy.

User Configuration > Policies > User Configuration > Policies > Centrify Settings > Mac OS X Settings > Security & Privacy > Allow NSSDB based applications to use smart card

Click OK.

3 Open the “NSSDB based applications allowed to use smart card” group policy.

This policy loads the TokenPKCS11 module to a specified location. Note that enabling “Allow NSSDB based applications to use smart card” automatically adds the appropriate locations for Firefox and Thunderbird.

Click OK.

4 In the Centrify configuration file, set the smartcard.name.mapping parameter to true.

This parameter allows the use of multi-user smart cards. See Enabling support for multi-user PIV and multi-user smart cards for more information.

5 In a Terminal window, run adgpupdate and adreload to apply the group policy and configuration parameter changes.

To verify that Firefox and Thunderbird are configured for smart card users:

1 Use a smart card to log in to the computer.

2 Open Firefox (and Thunderbird) and click Options > Advanced > Certificates > Security Devices.

You should see the Centrify PKCS #11 Module.

3 Open Firefox (and Thunderbird) and click Options > Advanced > Certificates > View Certificates > Authorities.

You should see U.S. Government.

4 Open Firefox and type https://10.100.2.133 in the address bar.


You are prompted to select the certificate.

5 After selecting the certificate, the web page should load successfully.

6 Open Thunderbird and configure smart card e-mail.

You should be able to send encrypted e-mail and decrypt encrypted e-mails from other users.
